Shellshock Could Be Worse than Heartbleed

Last week we reported on the latest bug, Shellshock, threatening the internet and potentially millions of websites and online devices. While Shellshock is potentially even worse than Heartbleed, which was widely publicized and discussed back in April, opinions vary drastically about how bad it will be. As we reported last week, the U.S. government's Department of Homeland Security rates this bug as a 10 on a scale of 1 to 10. In contrast, Apple has stated that while the bug is easy to exploit, most Apple customers do not have to worry and are not exposed. In their press release on Friday they stated,

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an Apple spokesperson told iMore. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

But Robert McMillan, of Wired, has a very different forecast of what may happen next and how bad this may become. On Friday he wrote,

“A nasty bug in many of the world’s Linux and Unix operating systems could allow malicious hackers to create a computer worm that wreaks havoc on machines across the globe, security experts say. The flaw, called Shellshock, is being compared to last spring’s Heartbleed bug because it lets attackers do some nasty stuff — in this case, run unauthorized code — on a large number of Linux computer servers. The flaw lies in Bash, a standard Unix program that’s used to connect with the computer’s operating system ……… Because Shellshock is easy to exploit — it only takes about three lines of code to attack a vulnerable server — Lackey and other security experts think there’s a pretty good chance that someone will write a worm code that will jump from vulnerable system to vulnerable system, creating hassles for the world’s system administrators. “People are already exploiting it in the wild manually, so a worm is a natural outgrowth of that,” Lackey said. To exploit the bug, the bad guys need to connect to software such as PHP or DHCP — which use Bash to launch programs within the server’s operating system.”

How Bad Might It Be?

While there is wide speculation about how bad this is and how far it will go, the truth is that the industry still needs answers to several questions before any accurate forecast can be made: are all systems that use Bash vulnerable to the bug, or are some (such as Mac OS) not; how many Linux servers, applications and devices might be exposed and vulnerable; and how quickly can patches be developed and deployed? Once we have those answers we may be able to forecast the impact more accurately. So don’t panic just yet. The first thing you can do is go to http://www.shellshocktest.com/, a simple test tool that helps you determine whether your system is exposed, or try http://bashsmash.ccsir.org/. Both are simple tools, and even their authors say they “may” not be 100% accurate. If you are an Apple user, novice or advanced, watch for patches and updates. If you are a Linux user you might want to check out the following sites for advice and patches:

Run the tests, watch for updates and patches and, of course, limit the amount of sensitive personal and financial information you keep on your device and, as always, be diligent in monitoring your system’s performance.
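If you would rather not rely on a remote test site, the same check can be run locally on a machine you administer. This is an added example for this post, not code from either of the linked tools; it assumes a POSIX shell is available and reports "bash-not-found" when bash is not installed.

```shell
#!/bin/sh
# Local self-check for the Shellshock bash bug described above.
# Prints exactly one of: vulnerable, patched, bash-not-found.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash-not-found"
        return 0
    fi
    # Hand bash an environment variable that looks like an exported
    # function followed by a trailing command. A patched bash never
    # runs that trailing command, so the marker is only printed by a
    # vulnerable bash. Warnings from patched versions go to stderr.
    out=$(env x='() { :;}; echo shellshock_marker' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *shellshock_marker*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

check_shellshock
```

A result of "vulnerable" means the local bash still needs its vendor patch; "patched" only covers bash itself, not whether a service on the host exposes it to remote input.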
